Here’s how to set up RADIUS authentication using FreeRADIUS and an Active Directory server. One use for this is authenticating WPA Enterprise Wifi clients: when you connect to a WPA Enterprise Wifi network, you have to give your username and password, not only a password as when connecting to a WPA Personal network.

Note the JOINUSER and JOINUSERPASS variables, which should be set to a valid user who can get a Kerberos ticket. I also wrote a simple shell script called testjoin, which periodically tests the connection to the AD and restarts Samba and Freeradius if needed. Place it in /usr/local/bin/testjoin:

#!/bin/bash

# Periodically check that the AD join is still valid; if "net ads testjoin"
# fails, restart Samba (winbindd) and then FreeRADIUS so ntlm_auth works again.
while true; do
    echo a | /usr/local/samba/bin/net ads testjoin
    result=$?
    if [ "$result" -ne 0 ]; then
        service samba restart
        sleep 5
        service freeradius restart
    fi
    sleep 60    # interval between checks (assumed value; adjust as needed)
done

If the authentication was successful, it will display NT_STATUS_OK: Success (0x0). If something is not working, you should check Samba’s logs. If you want to manually join or leave the domain, you can use /usr/local/samba/bin/net join -U user, and /usr/local/samba/bin/net leave.

Replace YOURDOMAIN.LOCAL with your domain name, and GROUPID with the group ID of the AD group of which the user must be a member to authenticate. The --require-membership-of parameter is optional.

Edit /etc/freeradius/radiusd.conf and set the following:

user = root
group = root

This is necessary as winbindd is running as root, and FreeRADIUS must run as root to be able to use ntlm_auth.

Add this to the end of /etc/freeradius/clients.conf:

client 192.168.0.0/16 {
    secret = secret
}

Replace the given IP and subnet mask with the IP range where authentication requests come from. Change the secret as well.
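To show what the shared secret in clients.conf actually protects, here is an added example (not from the original post) that builds a RADIUS Access-Request and Access-Accept with a constructed sample exchange and checks the Response Authenticator the way radtest or an access point does; a reply built with the wrong secret, or tampered with in transit, fails the check.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE = 1, 18          # RFC 2865 attribute types


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLV attributes (RFC 2865, section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length) + 16-byte authenticator + attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, attrs, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request_auth, secret):
    """Client side (what radtest or an access point does): recompute the
    Response Authenticator with the shared secret and compare in constant time."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample exchange: a fixed Request Authenticator stands in for the
# 16 random bytes a real client generates per request.
REQUEST_AUTH = bytes(range(16))
REQUEST = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, [(USER_NAME, b"user")])
ACCEPT = build_response(ACCESS_ACCEPT, REQUEST, [(REPLY_MESSAGE, b"ok")], b"secret")

if __name__ == "__main__":
    print("genuine accept:", verify_response(ACCEPT, REQUEST_AUTH, b"secret"))   # True
    print("wrong secret:  ", verify_response(ACCEPT, REQUEST_AUTH, b"wrong"))    # False
    forged = build_response(ACCESS_ACCEPT, REQUEST, [(REPLY_MESSAGE, b"ok")], b"guess")
    print("forged accept: ", verify_response(forged, REQUEST_AUTH, b"secret"))   # False
```

This is why the secret must be unguessable and why the client range in clients.conf should be as narrow as possible: the secret is the only thing binding a reply to the server.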

Change the default_eap_type to mschapv2 in /etc/freeradius/eap.conf (there are two lines where you will find a default_eap_type setting). If you are using your RADIUS server to authenticate WPA Enterprise clients, you won’t be able to use PAP, as the clients won’t send cleartext passwords, only password hashes. You can only verify authenticity with ntlm_auth using the hash.

Certificates

Empty the /etc/freeradius/certs directory, and create the random and dh files:

Restart FreeRADIUS with service freeradius restart (or start it in debugging mode with freeradius -X), and test authentication with radtest (run it on a machine which has an IP address in the range defined in clients.conf):

radtest -t mschap user pass radiusserverip 0 radiussecret

If you want to test a full EAP authentication (simulating a WPA Enterprise client), you can use eapol_test. See this tutorial. Test both PEAP and EAP-TTLS using MSCHAPv2.

A note on intermediate CA signed certificates

If you are using RADIUS for authenticating WPA Enterprise clients, some problems may occur with server certificates signed by an intermediate CA (like the certs which can be bought from GlobeSSL). For example, if a Windows client has no internet access and tries to connect to the Wifi network for the first time, it will reject the server’s cert, because it can’t verify its authenticity using OCSP (see this note). If it has internet access while connecting (for example, the Ethernet cable is plugged in), it will be able to verify the certificate chain and add the server’s certificate to its cert database. You can also add root and intermediate CA certs to Windows clients manually: rename the bundle file to something.crt and then double click on it.

On Ubuntu, you have to manually select the certificate bundle file when connecting to the Wifi network. The bundle file should contain the root CA and the intermediate CA certificates. A bundle file can be obtained from the SSL provider (for example, here’s GlobeSSL’s bundle file).

If you can get a certificate which is signed directly by a root CA, and that root CA is known to your clients’ operating systems, then you won’t have problems. However, these certs are very expensive, and more and more root CAs have started to sign only intermediate CAs, so they are hard to get as well.